lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050729185039.D75285@ubzr.zsa.bet>
Date: Sat Jul 30 00:57:33 2005
From: measl at mfn.org (J.A. Terranson)
Subject: Cisco IOS Shellcode Presentation


On Fri, 29 Jul 2005, Jason Coombs wrote:

> Frank Knobbe wrote:
> > What he has done is not say "Here's a bug that I can exploit". He has
> > said "This IOS is capable of exploitation beyond current belief". And it
> > will be for the foreseeable future.
>
>
> Precisely. And Lynn pointed out that Cisco routers use general purpose
> CPUs -- therefore Cisco's own engineers chose purposefully to build a
> vulnerable device.
>
> Cisco is responsible for this entire mess. Had they engineered a secure
> product around a CPU that was not general purpose, none of this would be

Jason, I both like and respect you, but you are wrong here.  You just flat
out don't know what you're talking about.

This has nothing to do with the choice of "a general purpose CPU", it is a
result of a specific architecture within the CPU chosen.  There is a real
difference here.

You're talking like this was a negligent choice made in total disregard of
known facts by Cisco, and that just isn't so.  And deep down, you *know*
that's true too (although it removes your premise and robs you of some
wonderful /rants).  Sure, Cisco chose a poor architecture, and we know
that today.  That doesn't mean that this was understood in the setting
under which the decisions were made.  This goes back a loooonnnnngggggg
way.  The fact is, IOS is pretty well put together, and considering it's
running on an obviously deficient platform and has withstood all comers up
to now is pretty amazing.

They fucked up.  They'll have to fix it then.  But thats not the same as
the gross negligence they're being accused of.

<FullDisclosure> I am not a Cisco fan, and Jason can attest to that.
Also, I own no stock or have any other interest in Cisco.</FullDisclosure>


-- 
Yours,

J.A. Terranson
sysadmin@....org
0xBD4A95BF


"A stock broker is someone who handles your money until its all gone."
Diana Hubbard (of Scientology fame)

Powered by blists - more mailing lists